Cell Phone Spying Service Leaking Data?

Last week, the geek news world was abuzz with news of a spying service that lets people intercept text messages, call logs, e-mails and other information from BlackBerry and Windows Mobile-equipped smart phones. But it appears the privacy threat is even bigger: According to evidence unearthed by at least one security researcher, the company that offers the intercept service has left its database freely viewable to anyone with a Web browser.

The service at issue, FlexiSPY, is touted as one that can help customers "catch cheating wives or cheating husbands, stop employee espionage, protect children, make automatic backups, bug meetings rooms [sic] etc." The company even offers a demo account that potential customers can use to check out a sampling of intercepted communications.

One security researcher found that by using this application, people are exposing the records of those they're spying on to the entire world. The trouble stems from the fact that each item in the database is assigned a specific numeric ID, which is contained in the URL. According to this advisory, penned by a researcher at AirScanner, a mobile and wireless security company, simply modifying that ID in the address while logged into the demo account allows full access to the database, going back to at least the middle of last year.
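To make the flaw concrete, here is an added example (not code from FlexiSPY, Vervata or AirScanner) of a record lookup keyed by the numeric ID in the URL: first with only a login check, which is the behaviour the advisory describes, then with an ownership check, plus a small helper a defender could use to spot a session walking through IDs. The record store, account names and IDs are constructed for the example.

```python
"""Record-by-ID lookup with and without object-level authorization.
Added illustration; the store below is constructed sample data."""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Record:
    record_id: int
    owner: str      # account whose phone produced this record
    body: str


# Constructed store: one record visible to the demo account, two that belong
# to other (hypothetical) customer accounts.
RECORDS = {
    1001: Record(1001, "demo", "demo sms: sample text"),
    1002: Record(1002, "customer-a", "private sms"),
    1003: Record(1003, "customer-b", "private call log"),
}


def vulnerable_lookup(session_account: Optional[str], record_id: int) -> Optional[Record]:
    """Login check only: any logged-in account, the demo included, can read any ID."""
    if session_account is None:
        return None            # not logged in: send to the login page
    return RECORDS.get(record_id)


def hardened_lookup(session_account: Optional[str], record_id: int) -> Optional[Record]:
    """Object-level authorization: the record must belong to the session's account.
    A missing record and someone else's record get the same answer, so the
    response does not reveal which IDs exist."""
    if session_account is None:
        return None
    rec = RECORDS.get(record_id)
    if rec is None or rec.owner != session_account:
        return None
    return rec


def refused_lookups(session_account: str, ids: Iterable[int]) -> int:
    """Detection helper: count refused lookups for one session. A run of
    refusals across consecutive IDs is the signature of someone walking the
    ID space and is worth alerting on."""
    return sum(1 for i in ids if hardened_lookup(session_account, i) is None)
```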

I contacted Vervata LTD, the London-based company that owns FlexiSPY, but have yet to hear back. But AirScanner's advisory has been live since June 14, and the FlexiSPY phone records database still appears to be wide open. An update posted to that advisory on June 29 states: "According to an anonymous source who contacted us after this was posted on Bugtraq, the FlexiSPY web application was previously discovered by numerous people and has been exploited repeatedly."

Update, 10:56 a.m.: I spoke by phone this morning with Atir Raihan, Vervata's managing director. Raihan said the company was not aware of any vulnerability in the company's database, and that when visitors type in custom URLs after logging into the FlexiSPY demo account, they are automatically kicked back to the login page. Security Fix tested his claim and found it to be true, although up until at least June 28, the hack detailed by AirScanner did indeed work as described.

Gee, commercial companies can do for money what reporters rake the government over the coals for trying to do to find crooks and terrorists. Wonder if (or why not) the NSA/CIA/etc. could pay them to use the program? Probably cheaper than all that spying and baiting online.